Add feature flag rustls-tls for custom ca feature (#109)
Owen-CH-Leung authored Nov 11, 2023
1 parent 2cbb3e3 commit b9f8a1d
Showing 2 changed files with 35 additions and 2 deletions.
3 changes: 1 addition & 2 deletions Cargo.toml
Expand Up @@ -22,14 +22,13 @@ exclude = [
[features]
# By default we use rustls for TLS
default = ["rustls-tls"]
rustls-tls = ["ureq/tls"]
rustls-tls = ["ureq/tls", "rustls-pemfile", "rustls"]
# If this feature is enabled we instead use the native TLS implementation for the
# target platform
native-tls = [
"ureq/native-tls",
"native-tls-crate/vendored",
"rustls-pemfile",
"rustls",
]

[dependencies]
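--- a/src/ctx.rs
+++ b/src/ctx.rs
@@ -62,6 +62,40 @@ impl Ctx {
 builder = builder.tls_connector(std::sync::Arc::new(tls_connector));
 }
 
+#[cfg(feature = "rustls-tls")]
+'custom: {
+// "common"? env vars that people who use custom certs use? I guess
+// this is easy to expand if it's not the case. /shrug
+const CERT_ENVS: &[&str] = &["REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE", "SSL_CERT_FILE"];
+
+let Some((env, cert_path)) = CERT_ENVS.iter().find_map(|env| {
+std::env::var_os(env).map(|var| (env, std::path::PathBuf::from(var)))
+}) else {
+break 'custom;
+};
+
+fn build(cert_path: &std::path::Path) -> anyhow::Result<rustls::ClientConfig> {
+let mut reader = std::io::BufReader::new(std::fs::File::open(cert_path)?);
+let certs = rustls_pemfile::certs(&mut reader)?;
+let mut root_certs = rustls::RootCertStore::empty();
+root_certs.add_parsable_certificates(&certs);
+let client_config = rustls::ClientConfig::builder()
+.with_safe_defaults()
+.with_root_certificates(root_certs)
+.with_no_client_auth();
+Ok(client_config)
+}
+
+let client_config = build(&cert_path).with_context(|| {
+format!(
+"failed to add custom cert from path '{}' configured by env var '{env}'",
+cert_path.display()
+)
+})?;
+
+builder = builder.tls_config(std::sync::Arc::new(client_config));
+}
+
 // Allow user to specify timeout values in the case of bad/slow proxies
 // or MS itself being terrible, but default to a minute, which is _far_
 // more than it should take in normal situations, as by default ureq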
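Review bot: `root_certs.add_parsable_certificates(&certs)` inside `build` discards the (added, ignored) counts it returns, so a bundle whose entries all fail to parse, or a PEM file with no CERTIFICATE blocks (where `certs` is empty), yields an empty root store and every later connection fails with a TLS error that never names the offending file or env var. Capturing the counts turns that into the clear configuration error the surrounding `with_context` is aiming for: `let (added, _ignored) = root_certs.add_parsable_certificates(&certs);` followed by `anyhow::ensure!(added > 0, "no usable certificates found in '{}'", cert_path.display());`. Note also that the `#[cfg(feature = "rustls-tls")]` gate (together with the Cargo.toml hunk moving `rustls`/`rustls-pemfile` under that feature) means a `native-tls` build now silently ignores `REQUESTS_CA_BUNDLE`, `CURL_CA_BUNDLE` and `SSL_CERT_FILE`; a one-line comment above the block, `// Custom CA bundle env vars are only honoured when built with the rustls-tls feature`, would record that for whoever debugs a cert error on the other build. The enclosing `impl Ctx` method begins and ends outside the hunk.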
